CVE-2020-21688

Name	CVE-2020-21688
Description	A heap-use-after-free in the av_freep function in libavutil/mem.c of FFmpeg 4.2 allows attackers to execute arbitrary code.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3010-1, DSA-4998-1, DSA-5126-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ffmpeg (PTS)	bullseye	7:4.3.7-0+deb11u1	fixed
	bullseye (security)	7:4.3.8-0+deb11u3	fixed
	bookworm, bookworm (security)	7:5.1.6-0+deb12u1	fixed
	sid, trixie	7:7.1.1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
ffmpeg	source	stretch	7:3.2.18-0+deb9u1	DLA-3010-1
ffmpeg	source	buster	7:4.1.9-0+deb10u1	DSA-5126-1
ffmpeg	source	bullseye	7:4.3.3-0+deb11u1	DSA-4998-1
ffmpeg	source	(unstable)	7:4.4-5

Notes

https://trac.ffmpeg.org/ticket/8186
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=22c3cd176079dd104ec7610ead697235b04396f1 (4.4)
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f7c9b1ed56b98eede5756d6865a10305982b4570 (4.1.9)
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f1a77222da98dbe4b8eeda54d68deefe6adcd299 (3.2.17)